[Python-Dev] Status of packaging in 3.3

Paul Moore p.f.moore at gmail.com
Fri Jun 22 13:27:19 CEST 2012


On 22 June 2012 11:28, Dag Sverre Seljebotn <d.s.seljebotn at astro.uio.no> wrote:

> And I'm saying that would encourage a culture that's very dangerous from a security perspective. Even if many use binaries, it is important to encourage a culture where it is always trivial (well, as trivial as we can possibly make it, in the case of Windows) to build from source for those who wish to.

And what I am trying to say is that no matter how much effort gets put into trying to make build from source easy, it'll pretty much always not be even remotely trivial on Windows. There has been a lot of work done to try to achieve this, but as far as I've seen, it's always failed. One external dependency, and you're in a mess. Unless you're proposing some means of Python's packaging solution encapsulating URLs for binary libraries of external packages which will be automatically downloaded - and then all the security holes open again.

You have to remember that not only do many Windows users not have a compiler, but also getting a compiler is non-trivial (not hard, just download and install VS Express, but still a pain to do just to get (say) lxml installed). And there is no standard location for external libraries in Windows, so you also need the end user to specify where everything is (or guess, or mandate a directory structure).

The only easy-to-use solution that has ever really worked on Windows in my experience is downloadable binaries. Blame whoever you like, point out that it's not good practice if you must, but don't provide binaries and you lose a major part of your user base. (You may choose not to care about losing that group, that's a different question).

Signed binaries may be a solution. My experience with signed binaries has not been exactly positive, but it's an option. Presumably PyPI would be the trusted authority? Would PyPI and the downloaders need to use SSL? Would developers need to have signing keys to use PyPI? And more to the point, do the people designing the packaging solutions have experience with this sort of stuff (I sure don't :-))?

Paul.



More information about the Python-Dev mailing list